News Archives

Sunday, February 7, 2016

Moment of Truth for the DPAs

In the six days since the European Commission announced an agreement with the US on a new framework for transatlantic data flows, the following developments are the most salient:

No new details about the framework have emerged.

Neither the Commission nor US officials have established any deadline for completion of the negotiations or indicated any limit to how long the talks may continue.

Isabel Falque-Pierrotin, the chair of the Article 29 Working Party, has said that it is likely to be at least mid-to-late April before the Working Party is able to reach a position on whether the Privacy Shield offers sufficient protection for European data. Her estimate assumes that the agreement will be finalized and all relevant documents provided to the Working Party by the end of February.

Falque-Pierrotin re-affirmed previous statements from the Working Party that companies continuing to rely upon Safe Harbor risk being subject to enforcement action immediately, while those relying upon model contracts or BCRs may continue to do so until the Working Party’s evaluation of the Privacy Shield has been completed.

Even if the agreement is finalized at some point, it will take additional months to put the guarantees it calls for, such as the creation of an Ombudsman in the US State Department and enactment of the Judicial Redress Act, in place. Companies will not be able to participate in the new framework until such measures have been implemented.

Both supporters and critics of the Privacy Shield expect it to face significant legal challenges from privacy advocates and consumer groups in Europe.

After three months of anticipation that a definitive moment of regulatory clarity was at hand, where do these developments leave us? Sadly, in a state of murk, confusion and uncertainty that could last for many months. Whether the EU’s 44 independent data protection authorities will swallow further delays that could be indefinite and defer enforcement actions that are within their powers is the big question. Prognostication in these matters is always risky, but it is difficult to imagine that they will not initiate coordinated enforcement actions within the next few weeks against companies still relying upon Safe Harbor.Update: On February 8, Forbes reported that Commissioner Jourova had tweeted the previous day that the texts of the Privacy Shield are "being finalized" and will be "unveiled" during the second half of February. Whether this time frame represents her aspiration or something more concrete remains to be seen.